Doc# 726969130
Change Request
1
REQ#18
Phil Hawkes, Qualcomm, phawkes@qti.qualcomm.com
Wolfgang Granzow, Qualcomm, wgranzow@qti.qualcomm.com
Josef Blanz, Qualcomm, jblanz@qti.qualcomm.com
2015-07-21
As above
SER-020 and SER-021 address credential provisioning,
Release 1
Active <Work Item number>
MNT Maintenace / < Work Item number(optional)>
STE Small Technical Enhancements / < Work Item number (optional)>
Only ONE of the above shall be ticked
TS-0002 v 1.0.1
6.4
Editorial change
Bug Fix or Correction
Change to existing feature or functionality
New feature or functionality
Only ONE of the above shall be ticked
This CR contains only essential changes and corrections? YES NO
This CR may break backwards compatibility with the last approved version of the TS? YES
This CR is a mirror CR? YES if YES, please indicate the document number of the original CR: <Document Number) : NO
Template Version:27 May 2015 (Dot not modify)
©
2020 oneM2M Partners Page 1 (of 3)

7
8
9
10
2
3
4
5
6
11
12
13
Doc# 726969130
Change Request oneM2M Notice
The document to which this cover statement is attached is submitted to oneM2M. Participation in, or attendance at, any activity of oneM2M, constitutes acceptance of and agreement to be bound by terms of the Working Procedures and the
Partnership Agreement, including the Intellectual Property Rights (IPR) Principles Governing oneM2M Work found in
Annex 1 of the Partnership Agreement.
SER-020 and SER-021 address credential provisioning, and are listed as “Implemented in Rel-1”. However, regarding remote provisioning, Rel-1 addresses remote provisioning of symmetric key credentials only– and this is not currently clear from the text. This CR adds a note to clarify what has been implemented regarding credential provisioning.
Table 1: Security Requirements
Requirement ID
SER-001
SER-002
SER-003
SER-004
SER-005
SER-006
SER-007
SER-008
SER-009
SER-010
SER-011
SER-012
Description
The oneM2M System shall incorporate protection against threats to its availability such as Denial of Service attacks.
The oneM2M System shall be able to ensure the confidentiality of data.
The oneM2M System shall be able to ensure the integrity of data.
In case where the M2M Devices support USIM/UICC and the Underlying
Networks support network layer security, the oneM2M System shall be able to leverage device ’s USIM / UICC credentials and network’s security capability e.g. 3GPP GBA for establishing the M2M Services and Applications level security through interfaces to Underlying Network.
In case where the M2M Devices support USIM/UICC and the Underlying
Networks support network layer security, and when the oneM2M System is aware of Underlying Network ’s bootstrapping capability e.g. 3GPP GBA, the oneM2M System shall be able to expose this capability to M2M Services and
Applications through API.
In case where the M2M Devices support USIM / UICC and the Underlying
Networks support network layer security, the oneM2M System shall be able to leverage device
’s USIM / UICC credentials when available to bootstrap M2M security association.
When some of the components of an M2M Solution are not available (e.g. WAN connection lost), the oneM2M System shall be able to support the confidentiality and the integrity of data between authorized components of the
M2M Solution that are available.
The oneM2M System shall support countermeasures against unauthorized access to M2M Services and M2M Application Services.
The oneM2M System shall be able to support mutual authentication for interaction with Underlying Networks, M2M Services and M2M Application
Services.
The oneM2M System shall be able to support mechanisms for protection against misuse, cloning, substitution or theft of security credentials.
The oneM2M System shall protect the use of the identity of an M2M
Stakeholder within the oneM2M System against discovery and misuse by other stakeholders.
The oneM2M System shall be able to support countermeasures against
Impersonation attacks and Replay attacks.
Release
Partly
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Implemented in Rel-1
Partly implemented in Rel-1
(see note 3)
©
2020 oneM2M Partners Page 2 (of 3)

14
15
Doc# 726969130
Change Request
Requirement ID
SER-013
SER-014
SER-015
Description
The oneM2M System shall be able to provide the mechanism for integritychecking on boot, periodically on run-time, and on software upgrades for software/hardware/firmware component(s) on M2M Device(s).
The oneM2M System shall be able to provide configuration data to an authenticated and authorized M2M Application in the M2M Gateway/Device.
The oneM2M System shall be able to support mechanisms to provide
Subscriber identity to authorized and authenticated M2M Applications when the oneM2M System has the Subscriber ’s consent.
Release
Not implemented in Rel-1
Implemented in Rel-1
Partly implemented in Rel-1
SER-016
SER-017
SER-018
SER-019
The oneM2M System shall be able to support non repudiation within the M2M service layer and in its authorized interactions with the network and application layers.
The oneM2M System shall be able to mitigate threats identified in oneM2M TR-0008 [
Ошибка! Источник ссылки не найден.
] .
The oneM2M System shall enable an M2M Stakeholder to use a resource or service and be accountable for that use without exposing its identity to other stakeholders.
The oneM2M System shall be able to use service-level credentials present inside the M2M device for establishing the M2M Services and Applications level security.
The oneM2M System shall enable legitimate M2M Service Providers to provision their own credentials into the M2M Devices/Gateways.
(see note 4)
Implemented in Rel-1
Implemented in Rel-1
Partly implemented in Rel-1
Implemented in Rel-1
SER-020
SER-021 The oneM2M System shall be able to remotely and securely provision M2M security credentials in M2M Devices and/or M2M Gateways.
Implemented in Rel-1
(see note 5)
Implemented in Rel-1
(see note 5)
Implemented in Rel-1
SER-022 The oneM2M System shall enable M2M Application Service Providers to authorize interactions involving their M2M Applications on supporting entities
(e.g. Devices/ Gateways/ Service infrastructure).
SER-023 Where a Hardware Security Module (HSM) is supported, the oneM2M System shall be able torely onthe HSM to provide local security.
Partly implemented in Rel-1
Partly SER-024 The oneM2M System shall enable M2M Applications to use different and segregated security environments. implemented in Rel-1
Partly SER-025 The oneM2M System shall be able to prevent unauthorized M2M Stakeholders from identifying and/or observing the actions of other M2M Stakeholders in the oneM2M System, e.g. access to resources and services (see note 1). implemented in Rel-1
SER-026 The oneM2M System shall be able to provide mechanism for the protection of confidentiality of the geographical location information (see note 2).
Implemented in Rel-1
NOTE 1: The above requirement does not cover items outside of the oneM2M System, e.g. Underlying
Networks.
NOTE 2: Geographical location information can be more than simply longitude and latitude.
NOTE 3: Partly supported for Impersonation attacks not supported for Replay attacks.
NOTE 4: The oneM2M System has no means to verify a subscriber’s consent. This requirement is only fulfillable at application level.
NOTE 5: Regarding remote provisioning, Release 1 supports remote provisioning of symmetric key credentials only.
©
2020 oneM2M Partners Page 3 (of 3)